The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2021-22880

CVE-2021-22880: Ruby on Rails PostgreSQL Adapter DoS Flaw

CVE-2021-22880 is a regular expression denial of service vulnerability in the Ruby on Rails PostgreSQL adapter affecting money type columns. This article covers the technical details, affected versions, and mitigation strategies.

Published: February 25, 2026

CVE-2021-22880 Overview

The PostgreSQL adapter in Active Record before versions 6.1.2.1, 6.0.3.5, and 5.2.4.5 contains a Regular Expression Denial of Service (ReDoS) vulnerability. Carefully crafted input can cause the input validation in the money type of the PostgreSQL adapter to spend excessive time in regular expression processing, resulting in the potential for a Denial of Service (DoS) attack. This vulnerability specifically impacts Rails applications using PostgreSQL with money type columns that accept user input.

Critical Impact

Attackers can exploit this ReDoS vulnerability to cause application unavailability by submitting specially crafted input to money type columns, potentially leading to service degradation or complete denial of service for affected Rails applications.

Affected Products

  • Ruby on Rails versions before 6.1.2.1
  • Ruby on Rails versions before 6.0.3.5
  • Ruby on Rails versions before 5.2.4.5
  • Fedora 32 and 33

Discovery Timeline

  • 2021-02-11 - CVE-2021-22880 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2021-22880

Vulnerability Analysis

This vulnerability is classified as a Regular Expression Denial of Service (ReDoS) attack, categorized under CWE-400 (Uncontrolled Resource Consumption). The flaw resides within the Active Record component of Ruby on Rails, specifically in the PostgreSQL adapter's handling of money type columns.

When user-supplied input is processed through the money type validation, the underlying regular expression exhibits catastrophic backtracking behavior when encountering maliciously crafted strings. This algorithmic complexity attack exploits the exponential time complexity inherent in poorly constructed regular expressions, causing the application to consume excessive CPU resources during pattern matching operations.

The vulnerability requires network access and can be exploited without authentication or user interaction, making it particularly concerning for publicly accessible Rails applications. The attack exclusively affects availability, as successful exploitation does not result in unauthorized data access or modification.

Root Cause

The root cause of this vulnerability lies in the inefficient regular expression pattern used for validating monetary input values in the PostgreSQL adapter. The regex pattern contains nested quantifiers or overlapping alternations that create exponential backtracking scenarios when processing adversarial input strings.

When the regex engine encounters input that partially matches multiple branches of the pattern, it must exhaustively explore all possible matching combinations before determining a final result. Attackers can craft input strings that maximize this backtracking behavior, effectively creating an algorithmic complexity attack against the validation logic.

Attack Vector

The attack vector for CVE-2021-22880 is network-based, requiring the attacker to submit malicious input to a Rails application endpoint that processes money type columns. The attack flow involves:

  1. The attacker identifies a Rails application using PostgreSQL with money type columns that accept user input
  2. A specially crafted string is submitted through forms, API endpoints, or other input mechanisms
  3. The Active Record PostgreSQL adapter attempts to validate the input using the vulnerable regex pattern
  4. The regex engine enters catastrophic backtracking, consuming CPU resources
  5. Application threads become blocked, potentially causing service unavailability

The vulnerability mechanism exploits inefficient regular expression processing in the money type validation. When the regex engine encounters a maliciously crafted input string, it enters a catastrophic backtracking state where it exponentially evaluates possible pattern matches. This results in CPU exhaustion as the server spends excessive time attempting to complete the pattern matching operation. For detailed technical analysis, refer to the Rails Discussion on CVE-2021-22880 and the HackerOne Report #1023899.

Detection Methods for CVE-2021-22880

Indicators of Compromise

  • Unusual CPU spikes on application servers processing PostgreSQL money type inputs
  • Extended request processing times for endpoints handling monetary data
  • Application log entries showing timeout errors or thread pool exhaustion
  • Abnormally long-running database queries involving money columns

Detection Strategies

  • Monitor application performance metrics for sudden increases in request processing time
  • Implement request timeout thresholds to terminate long-running input validation operations
  • Review application logs for patterns of repeated requests to money-type endpoints
  • Use Web Application Firewall (WAF) rules to detect and block potential ReDoS payloads

Monitoring Recommendations

  • Configure alerting for CPU utilization exceeding baseline thresholds on Rails application servers
  • Implement distributed tracing to identify slow request patterns targeting specific endpoints
  • Deploy application performance monitoring (APM) tools to track regex processing times
  • Establish baseline metrics for normal money type validation processing times

How to Mitigate CVE-2021-22880

Immediate Actions Required

  • Upgrade Ruby on Rails to version 6.1.2.1, 6.0.3.5, or 5.2.4.5 or later
  • Audit application code to identify all endpoints accepting money type input
  • Implement input length restrictions on money type columns to limit ReDoS impact
  • Consider implementing request timeouts as a temporary protective measure

Patch Information

Ruby on Rails has released patched versions addressing this vulnerability. Organizations should upgrade to the following minimum versions:

  • Rails 6.1.x: Upgrade to 6.1.2.1 or later
  • Rails 6.0.x: Upgrade to 6.0.3.5 or later
  • Rails 5.2.x: Upgrade to 5.2.4.5 or later

Additional security advisories have been issued by downstream distributions including Debian Security Advisory DSA-4929, Fedora, and NetApp Security Advisory NTAP-20210805-0009.

Workarounds

  • Implement strict input validation before data reaches the Active Record layer
  • Set maximum input length limits for money type fields at the application level
  • Use input sanitization to strip potentially malicious characters from monetary input
  • Configure web server or reverse proxy request timeouts to prevent extended processing
bash
# Configuration example - Nginx request timeout
location /api/payments {
    proxy_read_timeout 5s;
    proxy_connect_timeout 5s;
    proxy_send_timeout 5s;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeDOS
  • Vendor/TechRubyonrails
  • SeverityHIGH
  • CVSS Score7.5
  • EPSS Probability2.46%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-400
  • Technical References
  • Fedora Package Announcement
  • Fedora Package Announcement
  • NetApp Security Advisory NTAP-20210805-0009
  • Debian Security Advisory DSA-4929
  • Vendor Resources
  • Rails Discussion on CVE-2021-22880
  • HackerOne Report #1023899
  • Related CVEs
  • CVE-2026-33169: Ruby on Rails Active Support DoS Vulnerability
  • CVE-2026-33174: Ruby on Rails Active Storage DoS Vulnerability
  • CVE-2026-33176: Ruby on Rails Active Support DoS Vulnerability
  • CVE-2022-23517: Rails HTML Sanitizers DoS Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English